Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
 Topic: mod_security and apache 2.2.4 |
|
| Author |
|
chuck1rar
Joined: 07 Feb 2006
Posts: 13
|
 Posted: Mon 12 Mar '07 7:43 Post subject: mod_security and apache 2.2.4 |
 |
|
Just upgraded to apache 2.2.4 and also latest build of mod_security.
But cant get them both working together now..
Below have included the script for mod_security but this has not changed since the last version so was trying to work out why apache will not start with mod_security... Any help would be appreciated.
Thanks
<IfModule mod_security.c>
# Turn ModSecurity On
SecFilterEngine On
#SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding Off
# Accept almost all byte values
SecFilterForceByteRange 1 255
# Server masking is optional
SecServerSignature "NOYB"
#SecUploadDir logs
#SecUploadKeepFiles Off
# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog logs/sec.log
## -- Common attacks --------------------
SecFilterDefaultAction "deny,log,msg:'Common attacks',status:403"
#Web Proxy GET Request
SecFilter "^GET (http|https|ftp)\:/"
#Web Proxy HEAD Request
SecFilter "^HEAD (http|https|ftp)\:/"
#Proxy POST Request
SecFilter "^POST (http|https|ftp)\:/"
#Proxy CONNECT Request
SecFilterSelective THE_REQUEST "^CONNECT "
# Only accept request encodings we know how to handle.
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
#SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"
# Do not accept GET or HEAD requests with bodies
SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Length "!^$"
# Restrict which request methods can be used
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST)$"
# Restrict protocol versions.
SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$"
# Require Content-Length to be provided with every POST request.
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
# Don't accept transfer encodings we know we don't know how to handle
SecFilterSelective HTTP_Transfer-Encoding "!^$"
## -- PHP attacks --------------------
SecFilterSignatureAction "log,deny,msg:'PHP attack'"
# Possible code execution attack (targets valid PHP streams constructs)
SecFilterSelective ARGS_NAMES "^php:/"
#phpBB attack
SecFilterSelective ARG_highlight "(\x27|%27|\x2527|%2527)"
## -- Awstats-------------------------
SecFilterSignatureAction "log,deny,msg:'Awstats Attack'"
SecFilterSelective ARGS_NAMES "configdir"
## -- SQL Injection Attacks --------------------
SecFilterSignatureAction "log,deny,msg:'SQL Injection attack'"
# Generic
SecFilterSelective ARGS "delete[[:space:]]+from"
SecFilterSelective ARGS "drop[[:space:]]+database"
SecFilterSelective ARGS "drop[[:space:]]+table"
SecFilterSelective ARGS "drop[[:space:]]+column"
SecFilterSelective ARGS "drop[[:space:]]+procedure"
SecFilterSelective ARGS "create[[::space:]]+table"
SecFilterSelective ARGS "update.+set.+="
SecFilterSelective ARGS "insert[[:space:]]+into.+values"
SecFilterSelective ARGS "select.+from"
SecFilterSelective ARGS "bulk[[:space:]]+insert"
SecFilterSelective ARGS "union.+select"
SecFilterSelective ARGS "or.+1[[:space:]]*=[[:space:]]1"
SecFilterSelective ARGS "alter[[:space:]]+table"
SecFilterSelective ARGS "or 1=1--'"
SecFilterSelective ARGS "'.+--"
# MySQL
SecFilterSelective ARGS "into[[:space:]]+outfile"
SecFilterSelective ARGS "load[[:space:]]+data
SecFilterSelective ARGS "/\*.+\*/"
## -- Command execution --------------------
SecFilterSignatureAction "log,deny,msg:'Command execution attack'"
#SecFilterSelective ARGS_VALUES "^(uname|id|ls|rm|kill)"
#SecFilterSelective ARGS_VALUES "^(ls|id|pwd|wget)"
#SecFilterSelective ARGS_VALUES ";[[:space:]]*(ls|id|pwd|wget)"
</IfModule> |
|
| Back to top |
|
Steffen
Moderator
Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU
|
| Posted: Mon 12 Mar '07 8:05 Post subject: |
|
|
| The latest is ModSecurity 2 which is not backward compatible with ModSecurity 1.x rules. See the readme in the .zip. |
|
| Back to top |
|
chuck1rar
Joined: 07 Feb 2006
Posts: 13
|
| Posted: Mon 12 Mar '07 8:08 Post subject: security |
|
|
| Yeah I know but was not using version 1.x before was on version 2.... |
|
| Back to top |
|
Steffen
Moderator
Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU
|
| Posted: Mon 12 Mar '07 22:46 Post subject: |
|
|
But above rules are 1.x rules.
Example of 2 rules:
| Code: |
SecRuleEngine On
SecDefaultAction "deny,phase:1,status:403"
SecRule REQUEST_URI ^http:/ "id:60014,severity:2,msg:'http Proxy access attempt'"
# Do not accept GET or HEAD requests with bodies
SecRule REQUEST_METHOD "^(GET|HEAD)$" "chain,id:60011,severity:2,msg:'GET or HEAD requests with bodies'"
SecRule REQUEST_HEADERS:Content-Length "!^0?$"
# Restrict which request methods can be used
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|HEAD))$" "phase:1,id:60032,severity:2,msg:'Method is not allowed by policy'"
# Restrict protocol versions.
SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$" "id:60034,severity:2,msg:'HTTP protocol version is not allowed by policy'"
# Don't accept transfer encodings we know we don't know how to handle
SecRule HTTP_Transfer-Encoding "!^$" "id:60013,severity:1,msg:'ModSecurity does not support transfer encodings'"
SecDefaultAction "deny,phase:2,status:403,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule ARGS:page "^http" "id:90000,severity:4,msg:'Arg_page with http'"
SecRule ARGS_NAMES "configdir" "id:90001,severity:4,msg:'Awstats attack'"
SecRule ARGS_NAMES "^php:/" "id:90002,severity:4,msg:'php attack'"
SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)" "id:90003,severity:4,msg:'phpBB attack'"
SecRule ARGS:phpbb_root_path "http" "id:90003,severity:4,msg:'phpBB rootpath attack'"
SecRule ARGS:mosConfig_absolute_path "http" "id:90004,severity:4,msg:'Joomla'"
SecRule ARGS:sbp "http" "id:90004,severity:4,msg:'Joomla'"
SecRule ARGS:task "vote" "id:90004,severity:4,msg:'Joomla'"
SecRule ARGS "c:/" "t:normalisePathWin,id:50904,severity:4,msg:'Drive Access'"
SecRule ARGS "\.\./" "t:normalisePathWin,id:50904,severity:4,msg:'Drive Access'"
SecRule ARGS "f:/" "t:normalisePathWin,id:50904,severity:4,msg:'Drive Access'"
## -- SQL Injection Attacks --------------------------------------------------
# Generic
SecRule ARGS "delete[[:space:]]+from"
SecRule ARGS "drop[[:space:]]+database"
SecRule ARGS "drop[[:space:]]+table"
SecRule ARGS "drop[[:space:]]+column"
SecRule ARGS "truncate[[:space:]]+table"
SecRule ARGS "create[[::space:]]+table"
SecRule ARGS "update.+set.+="
SecRule ARGS "insert[[:space:]]+into.+values"
SecRule ARGS "select.+from"
SecRule ARGS "bulk[[:space:]]+insert"
SecRule ARGS "union.+select"
SecRule ARGS "or.+1[[:space:]]*=[[:space:]]1"
SecRule ARGS "alter[[:space:]]+table"
SecRule ARGS "or 1=1--'"
SecRule ARGS "'.+--"
# MySQL
SecRule ARGS "into[[:space:]]+outfile"
SecRule ARGS "load[[:space:]]+data
SecRule ARGS "/\*.+\*/"
|
|
|
| Back to top |
|
chuck1rar
Joined: 07 Feb 2006
Posts: 13
|
| Posted: Tue 13 Mar '07 6:35 Post subject: mod_security and apache 2.2.4 |
|
|
Yeah sorry realised that later but removed all the rules and just tried starting apache with the modules enabled but when mod_security is enabled then apache will not start..
Any tips on how to debug this..
Nothing relevenat is in any of the logs..
Thanks |
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg
|
| Posted: Tue 13 Mar '07 9:57 Post subject: |
|
|
What does the error.log tell about that error?
Did you download the right version for your apache? |
|
| Back to top |
|
chuck1rar
Joined: 07 Feb 2006
Posts: 13
|
| Posted: Tue 13 Mar '07 14:04 Post subject: error |
|
|
nothing in the error log at all cause apache fails to start...
Am using Apache 2.2.4 Win32 mod_ssl 2.2.4 OpenSSL 0.9.8e and JRUN4 CFMX7..
The version of mod_security I downloaded was 2.1.0...
Was working fine till I moved from apache 2.2.3...
Thanks |
|
| Back to top |
|
rebelo
Joined: 06 May 2007
Posts: 6
|
| Posted: Sun 06 May '07 18:02 Post subject: Re: error |
|
|
| chuck1rar wrote: | nothing in the error log at all cause apache fails to start...
Am using Apache 2.2.4 Win32 mod_ssl 2.2.4 OpenSSL 0.9.8e and JRUN4 CFMX7..
The version of mod_security I downloaded was 2.1.0...
Was working fine till I moved from apache 2.2.3...
Thanks |
Hi.
chuck1rar, how did You fix this matter ?
Having the same issue myself. |
|
| Back to top |
|
|
|
|
|
|
